Kathy O'Sullivan: Hello and welcome to CIO Leadership Live. I'm Kathy O'Sullivan, editorial director for CIO in Australia and New Zealand, and today I'm joined by Colin Penman, who is the chief information security officer at Datacom. Thanks for being on the show today, Colin.

Colin Penman: Thank you, Kathy, for inviting me.

Kathy O'Sullivan: Great stuff. So look, Datacom recently released its State of Cyber Security Index, and we'll get into the findings of the report shortly, but first, tell us a bit about your career in tech and the roles that have led you up to taking on the CISO position at Datacom.

Colin Penman: Oh, that's a tough one, to talk about yourself. I've always had a foot in both camps. I've been very technical at the same time as business-orientated, and that's shown within my past. I started off actually maintaining and restoring tal machines for Telecom in Australia, so I've certainly seen a lot of technology changes, but those technology changes wouldn't have come unless there was a level of business, and moving the business forward from an engagement point of view. So everything technology-wise has really been coupled with the business. And I've been very humbled by some of the companies that I've worked for, not only Telecom and Telstra but other companies like IBM, Oracle and Salesforce in the early days. The area where I started to be more focused from a CISO point of view is around Kyndryl in Australia and New Zealand, the spin-out of the managed services from IBM, and then from there joining Datacom and leading Datacom as they transitioned and really stood up a CISO's office internally.

Kathy O'Sullivan: So Datacom has released its State of Cyber Security Index and has found that AI-driven cyber attacks are now the number one concern for security leaders. So how do you think CIOs should rethink their security posture to adapt to, you know, an ever-evolving landscape? Are Australian and New Zealand businesses adapting fast enough?

Colin Penman: I think they're slowly maturing, I would use that word, but I'll take a step back, because I think AI affects companies in a couple of different ways. We see AI coming through the supply chain: a lot of the products that we're actually using from a supply chain point of view now have AI embedded within those products that we're consuming, and that may be utilizing the data internally to learn and teach those products, as an example. So in the supply chain I certainly see the requirement to include AI questionnaires as part of that supply chain risk point of view. We're starting to see it used internally, obviously, to build out the business value from an applications point of view, to really reduce a lot of the manual, repetitive tasks internally, but actually to really start to engage customers and our internal staff around what we can do better around the applications that we have. And then two things: one is the defense from AI-based security attacks, so starting to look at how AI helps us from a cyber security point of view, and then the way that we see, and a lot of discussion is around, AI utilized within cyber security by threat actors. We're really starting to see that, and not only in phishing emails. Previously you would have seen a phishing email that was poorly worded or the English wasn't spectacular; it's now very, very targeted to the individuals, using AI. So those are the frameworks of what we're starting to see. But back to your question around how CIOs really rethink: I think they really need to think about their security posture and the landscape that they're operating in from a market point of view, adopt AI as part of that defense mechanism, but the other thing is to upskill and educate the internal teams about the use of AI internally, with external AI providers, and what it means from a development point of view as well.

Kathy O'Sullivan: Yeah, that's interesting, the third-party risk as well. And look, it sounds like a lot of organizations think they're more secure than they actually are. So what are some of those common blind spots that leave them exposed, you know, even when they think they're covered?

Colin Penman: I think, I mean, certainly our index showed that there was a gap between where the leadership of organizations were versus the actual employees, and the employees' awareness and the education and training on the use of AI is certainly not there. And I know that's where our focus is within Datacom: not to stand up artificial intelligence as something separate, but how do we actually bring that into the current organization processes, not only from a change management point of view but from a governance and security and even a cyber awareness training point of view, so that we now incorporate AI training and what it means specifically to the service desk from a deepfakes point of view or from a phishing point of view, what do we have from AI around phishing for our finance teams and what do we look for around that. So really it's to make sure that the development and the ecosystem around AI is secure, to educate and upskill the teams, but it's also around doing the right hygiene things, you know, patching, making sure we have early detection and continuous monitoring around some of the tooling. And I know a lot of companies are moving towards a zero trust framework around multi-factor authentication and access to applications, and certainly that's where AI also adds a lot of value.

Kathy O'Sullivan: And I found the findings in the report around the human impact of cyber security really interesting. It showed that 61% of security leaders in New Zealand and 58% in Australia are dealing with cyber fatigue. So can you talk to us about, you know, what is causing that burnout, and what do you think organizations can do better to support their security teams?

Colin Penman: I think cyber fatigue is tough, right? I mean, we all take this personally as cyber professionals; if something happens to the organization, we really do take it personally. I think the causes of cyber fatigue are really that escalating threat landscape. It's continuously being ramped up, and we're seeing more and more adversaries, obviously, trying to get into the organization, not from a breach point of view but more from a compromise of users, which is the main access point. But we've started to see resource constraints; budgeting from a business point of view has been very constrained, and we've seen that across a lot of the landscape of customers that we speak to. But other things like a disconnect with leadership, and the finding really shows that gap: you know, 71% of New Zealand leaders think that staff are cyber ready, but only just over half, or 51%, of employees agree. So there's always going to be a level of cyber education and awareness, but I think also the employees are starting to be, you know, a bit numb to this, and we're starting to see that tick-and-flick as far as compliance and the yearly annual attestation around cyber training. So I think that's where we've really broken it down to smaller engagement, gamification of individuals internally in what they're doing from a cyber awareness point of view, but also focusing on the profiles of the business. So what do privileged access users do, what's their responsibility, and what are the short training courses that we need to do with them throughout the year? What are the developers doing from an AI point of view, the use of AI and open-source technologies from a libraries point of view, what do we need to do from the training on that side? But also going back into finance and HR, who are very targeted within the organizations because they're receiving emails from people externally saying "open my resume", as an example. So I think training is 100% there. I think the other thing is that lack of recovery time, because we're getting, you know, so many incidents throughout the year, we're not having the recovery time to actually focus on that mental health point of view from an organization.

Kathy O'Sullivan: Now you spoke about it a bit there, but, you know, we do hear about that disconnect and that employees are the weakest link in cyber security, but you spoke about training and maybe that it's not the right level of training for employees. So what is the difference between a security training program that sticks and one that employees just tune out and tick and forget?

Colin Penman: Yeah, it's interesting. Once you come into an organization and see a culture, certainly the way that we've looked at it is: how does training stick? And so certainly there's been a lot of engagement with third parties around the learning styles of individuals and what training we need to do from a cyber security point of view so that that training sticks with individuals. And I think I touched on role-specific scenarios; I think very specific within the business, so it's just not a generic one-size-fits-all type of scenario. I think if it's very tailored, with the language and the nuances and examples of incidents that have occurred specifically with that specific portfolio or team within an organization, that's what sticks. Hands-on and interactive is also, you know, gamifying that with leaderboards and phishing drills, as an example. But it just can't be one big awareness program for the year. I think breaking it down into shorter, more frequent doses and swapping it into, like, 5 to 10 minutes, because that's where people's attitude as far as focus goes; anything more than 10 minutes, then the people have gone. And the last one I think is that real-world context with continuous feedback. I think those are the things that really make the cyber security program stick with individuals.

Kathy O'Sullivan: So another area that the report looked at was around business continuity planning and cloud security, and the research from Datacom suggests that Australia is ahead in this area over New Zealand. So what are Australian businesses doing differently, and how can New Zealand companies catch up?

Colin Penman: I think there's been a stronger regulatory push from an Australian point of view, around the ACSC, and certainly they're reporting a larger increase of cyber inquiries yearly around that. But I think there's a larger investment from a tech point of view. I can't remember who actually spoke about it, but effectively Australian firms are spending, you know, 6.2 billion on cyber security in 2014, and that's a jump of over 14% from last year. But we see that with continuity planning, only 26% of Australian leaders lack BC, business continuity, plans, compared to 67% in New Zealand, and I think this is a key indicator. I think Australia and the push from a regulatory point of view, but also the number of breaches that have actually occurred within the Australian market, has meant that from the board down in these organizations there is a question of what are we doing from that resilience point of view, and business continuity planning is obviously where that fits into the governance of the organization. I think finally, around the cloud adoption, certainly Australia has been probably a little forward as far as cloud adoption and a multi-cloud strategy, and I think New Zealand is coming into that fold now; obviously with Azure being in New Zealand, we've started to see a lot more focus on workloads moving to the cloud in New Zealand as well.

Kathy O'Sullivan: Now the use of tools like ChatGPT and Copilot is becoming more and more commonplace, and I think your report found 40% of employees are now using these tools, but less than a quarter of them have actually read their company's AI security policies. So, you know, why do you think that AI governance piece is lagging behind actual AI adoption, and what needs to change from that point of view?

Colin Penman: I think there's a few things here. I think adoption of AI really has outpaced a lot of the policy decisions and makers, and so certainly with our team, you know, raising the level of maturity from AI awareness before we write a policy, and actually engaging those teams who are doing a lot of application development and agent development. We've started to see how do we actually communicate with people about the security risks and then actually have a policy discussion associated with that. So realistically I think there's been outdated security policies that haven't actually included AI, and my belief is that we shouldn't be standing up separate AI policies; we should actually be embedding them in change management, in patching, and in data security and privacy as well. I think there's certainly a leadership blind spot as far as people wanting to adopt it and thinking that they're ready, but they haven't done the basics of, for example, data classification. You know, rolling out an internal AI agent, for example, that has complete access to every data and document internally; you'd be surprised that, you know, people will go searching, "oh, what's the payroll of this and this person", or "is this a customer", for example. So I think, you know, making sure that those blind spots and the pre-work is done around data and risk, but also the governance associated with that. And I think the last one is, if there is policy that exists, a lot of them are not AI ready. So development is a great example of that, and also the supply chain, which we've spoken about.

Kathy O'Sullivan: Now Colin, I know you speak to IT leaders all around Australia and New Zealand, so I'm sure you encounter organizations that really are getting cyber security right, although none of us is ever, you know, impenetrable. So what are the ones that are the best of breed, you know, what are they doing differently that you think others can learn from?

Colin Penman: I think there's a few things. I go back to the blocking and tackling, the cyber hygiene that we need to do. It's no good looking at new shiny objects if we're not doing the vulnerability assessments, we're not doing the patching, we're not doing the daily cyber hygiene and thinking of security first. And so I would say those who are doing security very well have got those programs of cyber hygiene and the day-to-day activities and the cyber-first mentality in the organizations. I would say that they're doing that correctly, and it's very proactive from the board and the GLT down; it's very proactive and not reactive. And so people who are doing red teaming exercises regularly and doing phishing as an example, and, as I said, doing that cyber awareness training not just once a year but breaking it down into multiple components. And I think the other thing is around that employee empowerment, the training and hands-on. But how do you think those phishing drills are if there's a deepfake coming in through AI, coming through HR or into the service desk team? So there's always that constant employee empowerment to say, how do I report this, or ask the question, you know, to say "this doesn't feel right, how do I actually ask that", and make a mechanism of reporting and asking the question from a resilience point of view easier, because if they have to go through multiple escalations and report the incident, and they want to know right now, "hey, do I respond to this?" So making it easier for individuals around collaboration and the employee empowerment around that, and don't be negative if they've actually called out something and it's actually wrong. I think it's very empowering, and taking that as a use case from a learning point of view. So always trying to act before the breach is a big one, getting that leadership on board, and making training stick are probably the key indicators of a successful cyber security program and those companies that are doing it well.

Kathy O'Sullivan: So I've heard about CISOs being referred to as the department of no, and, you know, security is often seen as a cost or a blocker to innovation. So how do you think CIOs or CISOs can reposition cyber security as that business enabler rather than just that defensive function?

Colin Penman: Yeah, I think it's knowing the business: what are the key indicators of the executives that we're working with as peers, and what are they rewarded upon from a revenue point of view, from a risk quantification, and trying to actually understand the business. I didn't realize Datacom is such a large elephant, with everything from digital marketing agencies to SaaS-based applications through to managing, you know, federal and state and local government agencies, everything from desktop support all the way down to citizen engagement. So such a large amount of services, and so I've had to learn the business to really understand how security impacts that business, not only from a level of trust and risk but how does it relate back to revenue, or revenue loss if something actually occurs from a cyber security point of view. And I think this goes back to a PwC study that I read last year, around 87% of customers ditching brands after a breach. So we need to be proactive. I think the other thing is to enable faster innovation; AI is a great example of this. So instead of saying no and being Dr No, how do I provide you a development environment that actually accelerates AI advancement so they can actually try something and learn AI agents, provide obfuscated data for LLMs to be trained upon, in an environment where we've got the guardrails of security and governance associated with it, so that they're not, you know, connecting to the internet; it's a very secure environment. And if they want to then proceed into a proof of concept with a customer, again we've gone through those security steps and engaged the gates of those developments as well. And I think that's where we start to see cyber security going from a cost center to being a competitive differentiator in the market as well.

Kathy O'Sullivan: So look, it's still a tricky economic time for businesses. So with budgets under pressure, where should CIOs focus their cyber security investments for maximum impact?

Colin Penman: Yeah, I think going back to that cyber hygiene point of view. I think, you know, the employee training with teeth, you know, incentives around it, role-based focused areas. I think more from an automation around the incident response and the AI threat detection capabilities, so we've started to see AI being brought in, not only from the products into the security operations center but at a network level, so a lot of the AI components from a threat prevention point of view are now coming into those environments. I think the other thing is just to make sure that security doesn't become obsolete, you know, looking at legacy perimeter defense strategies and static compliance tools. It's no use doing a compliance at one point in time throughout the year when customers are coming at us multiple times every month about "oh, what's your compliance status at this point in time?" So how do we automate that compliance and become more dynamic, and even empower the customers to come into a trusted site so you can actually see your environment at that point in time from a compliance point of view, and provide that level of trust. And the last one is, you know, companies don't like being the integrator. So instead of buying siloed point solutions, which is very disjointed and needs a lot of integration and a lot of resource management and training associated with it, how do I look at more of a platform type of architecture that stitches and stretches the dollar further from a budget point of view?

Kathy O'Sullivan: And finally, Colin, if we're having this conversation a year from now, what do you think will have changed, and, you know, what's the next big challenge that CIOs and CISOs should be preparing for in Australia and New Zealand?

Colin Penman: Well, firstly, I'd love to have an interview next year. I think it'd be great to take what we've discussed now and actually see where it is. But I think how to prepare is really: lock AI down now. Look at the tools that people are using internally, look at the policies that we have; if there is AI development that's occurring internally, provide the guardrails and the safe place for developers to actually trial, and trial fast, and build out those proof of concepts, to really look at security being a part of that process instead of at the end of it saying "hey, let's now talk security". I think building resilience, not just defense, so it goes back to those business continuity guidelines and making sure that that's exercised; it's no use having a plan if you're not exercising that throughout the year. There's always going to be a discussion around upskill or outsource, and I think that's going to be a very interesting conversation in the future, especially around AI, so that teams are not getting left behind through the use of AI tools. And I think the biggest one is collaborate regionally, so it's not only across Australia and New Zealand but it's also across different industry sectors. Some industry sectors are actually, you know, more advanced from a cyber security point of view: infrastructure as code, they've passed a multi-cloud environment and now it's infrastructure as code, and developers are now pushing all the way through from code to cloud capability. So the collaboration not only regionally but also from an industry point of view; it's going to be an interesting 12 months ahead.

Kathy O'Sullivan: Colin Penman, Chief Information Security Officer at Datacom, thank you so much for your time today.

Colin Penman: Thank you, Kathy, and see you next year.
2025-04-11 05:50